[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Trusted HTTP-FUSE KNOPPIX501 is released

"Trusted HTTP-FUSE KNOPPIX501" is released. It keeps Trusted Boot with
TPM(Trusted Platform Module) and Trusted GRUB.
  http://unit.aist.go.jp/itri/knoppix/http-fuse/index-en.html

We developed a trusted network loopback block device "Trusted
HTTP-FUSE CLOOP" and integrated it to KNOPPIX. It also includes
Trusted GRUB and enables Trusted Boot with TPM1.1. It keeps log of
attached devices and accessed block. We can confirm the attestation
from the log. The Bootable CD size is only 9MB, because the block
device is obtain via Internet using Trusted HTTP-FUSE KNOPPIX.
  Trusted GRUB
   http://trousers.sourceforge.net/grub.html  

* ISO file (only 9MB) 
  http://unit.aist.go.jp/itri/knoppix/http-fuse/httpfuse-trusted_20061101.iso 
  (MD5:c98fcc4b77404b69dcc96b71de1d6a3d)

* Usage
* Requirement: 
   * Internet connection. 
   * PC which can deal with Trusted boot using TPM1.1. Please turn on
     TPM in BIOS. We confirmed Trusted Boot on IBM ThinkPAD X30&T42.

   Burn a CD-ROM with the iso  file. Boot from the CD-ROM. You can add
   options  at GRUB  stage  1.5.  During booting  you  finds menu  for
   download  server   of  block  files.  Please   select  the  nearest
   server.  (3 servers  in EU,  3  servers in  US, and  13 servers  in
   Japan.)

* Additional Options: 
   * http_proxy= 
      Designate proxy URL. 
      Example http_proxy=http://proxy.aist.go.jp:8080 
   * staticipaddress 
      Set Static IP address during boot sequence. 
      "IPaddress:", "Netmask:", "Default Gateway:", "Name Server:" 
   * memcache 
      Download block files to RAM DISK. Requires much memory. 
   * nocache 
      Block files aren't saved. 
   * fuse_uri= 
      Designate direct URI of block files. 
      Example fuse_uri=http://ring.aist.go.jp/archives/linux/knoppix/knx501tpm/knoppix501en 

* How to check Trusted Boot (Example: on ThinkPAD T42 & X30 with Atmel
  TPM 1.1 Chip)
  * Check the Trusted Boot 
  * Preparation 
   # modprobe atml_tpm 
   # mount -t security none /sys/kernel/security 
   Check the log of Trusted Boot 
   # cat /sys/kernel/security/tpm0/ascii_bios_measurement
   5 2907b0a74e2e025f863bda3dd55a9ada385dcf28 04 [Event Separator]
   6 2907b0a74e2e025f863bda3dd55a9ada385dcf28 04 [Event Separator]
   7 2907b0a74e2e025f863bda3dd55a9ada385dcf28 04 [Event Separator]
   4 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f 05 [Calling INT 19h]
   4 38f30a0a967fcf2bfee1e3b2971de540115048c8 05 [Returned INT 19h]
   4 7ca42b22324927c400263bae94e1e7cc28655532 05 [Booting CD ROM]
   4 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 01 [POST CODE]
   5 3315669a981d24f825eff4f2cc6f1d35093dfe8b 01 [POST CODE]
   8 27fb6f0e387394ff8a125e225ab0eed21496f773 01 [POST CODE] *** kernel "linux"
   8 0e8daebdd20d97a3761803c473bc77ed82a5e996 01 [POST CODE] *** miniroot "minirt.gz" 

   Confrim the SHA1 value.
   # sha1 /mnt/cdrom/boot/isolinux/linux
   27fb6f0e387394ff8a125e225ab0eed21496f773 /mnt/cdrom/boot/isolinux/linux
   # sha1 /mnt/cdrom/boot/isolinux/minirt.gz
   0e8daebdd20d97a3761803c473bc77ed82a5e996 /mnt/cdrom/boot/isolinux/minirt.gz

  * Check the Register of TPM 
   # cat /sys/device/platform/tpm_atmel/pcrs
   PCR-00: EC 44 13 64 3D 36 06 10 C0 26 D2 90 79 FD 95 A4 D6 FC B9 C1
   PCR-01: C0 A9 46 A3 A4 24 B2 F0 61 2C BA B7 9D 81 E4 F8 1A 71 AC 67
   PCR-02: EB B3 BA AE E7 57 4B B6 37 AA AB 67 0F 9A C1 BC EB 6F 80 F3
   PCR-03: 04 FD EC DD 50 1D AF 0F 62 4C 1F 99 60 12 CF 30 44 FF 46 10
   PCR-04: 01 56 4F A7 09 AE 00 B1 90 84 28 D3 09 09 A1 F9 AD B5 53 29
   PCR-05: 1A F1 39 04 08 69 63 DE 79 41 E4 2E 68 DE 2E B0 B7 85 BD 82
   PCR-06: 04 FD EC DD 50 1D AF 0F 62 4C 1F 99 60 12 CF 30 44 FF 46 10
   PCR-07: 04 FD EC DD 50 1D AF 0F 62 4C 1F 99 60 12 CF 30 44 FF 46 10
   PCR-08: AF 8F 70 C0 A6 92 7C 6F A6 FA 6B F1 D8 94 AC F0 F2 04 BC CA
   PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  * Check the log of Trusted HTTP-FUSE CLOOP 
   # tail -f /var/log/fs_wrapper_PID.log 
   1150452051.109: #00000000(845b31ded38e15c1fa8febf97fe0781f23af98c3) :missed.
   1150452051.112: #00000000(845b31ded38e15c1fa8febf97fe0781f23af98c3) :hits.
   1150452051.112: #00000001(166cbaedbb1cc836e7c95d7d9943efde5a53829e) :missed.
   1150452051.113: #00000002(29c4e363dbad648072751ca1f856e5780dd2981d) :missed.
   1150452051.114: #00000003(fa8ad05b713a9cf8a701636ca6c353dc58fd6bfd) :missed.
   1150452051.114: #00000004(1f82a543fa9310c44eff6a13618beca3cacffc12) :missed. 
   When you run a application, accessed blocks are logged. Please confirm.

* Publications: 
(1) "Trusted Boot of HTTP-FUSE KNOPPIX", Kuniyasu Suzaki, Toshiki
     Yagi, Kengo Iijima(AIST), Megumi Nakamura, Seiji Munetoh (IBM
     Japan), Linux-Kongress 2006,

(2) "Security Enhancement of HTTP-FUSE Knoppix Client by Trusted
    Computing", Megumi Nakamura, Seiji Munetoh (IBM Japan), Kuniyasu
    Suzaki, Kengo Iijima, Toshiki Yagi, Ichiro Osawa (AIST), ISEC2006
    (Written in Japanese)

------
suzaki
Reply to: